Large unauthorised contactless payments can be made on locked iPhones by exploiting how an Apple Pay feature designed to help commuters pay quickly at ticket barriers works with Visa. In a demonstration video seen by the BBC, researchers were able to make a Visa payment of £1,000 without unlocking the phone or authorising the payment. The problem applies to Visa cards set up in ‘Express Transit’ mode in an iPhone’s wallet.

The researchers have so far demonstrated the attack only in the “lab” – and there’s no evidence that criminals are currently exploiting the hack.

“It’s a similar attack to having a contactless credit card terminal tapped against your wallet or purse. But this attack was rather more insidious, as it doesn’t need the card terminal any more – just a small box of electronics that can relay the fraudulent transaction elsewhere. Perhaps the greatest worry is for a lost or stolen phone. The crook doesn’t have to be concerned about being spotted by others as they carry out the attack any more.” The researchers also said the attack might be easiest to deploy against a stolen iPhone.